Reduced Traceability Electronic Message System and Method

ABSTRACT

An electronic messaging system and method with reduced traceability. An electronic message is separated into a message content and container (header) information. In one aspect, the message content and header information are entered by a user separately and transmitted from the user computer separately. In another implementation, the message content and header information are displayed separately. In yet another implementation, an electronic message is permanently automatically deleted from the system at a predetermined time.

RELATED APPLICATION DATA

This application is a continuation application of U.S. patent application Ser. No. 11/401,148, filed Apr. 10, 2006, and titled “Reduced Traceability Electronic System and Method,” which is incorporated by reference herein in its entirety. This application also claims the benefit of priority of U.S. Provisional Patent Application Ser. No. 60/703,367, filed Jul. 28, 2005, and titled “Method and System for Reducing Traceability of Electronic Messages,” which is incorporated by reference herein in its entirety.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the U.S. Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.

FIELD OF THE INVENTION

The present invention generally relates to the field of electronic messaging. In particular, the present invention is directed to a reduced traceability electronic message system and method.

BACKGROUND

Typically, an electronic message between two people is not private. It may travel along a public network, such as the Internet, and be susceptible to interception by unintended third parties. Messages are also logged and archived by the communication systems themselves. They may also be copied, cut, pasted, printed, forwarded, blind copied, or otherwise manipulated. This may give a message a “shelf-life” that is often uncontrollable by the sender or even the recipient. Surreptitious logging (e.g., by keystroke and message recording software) may occur by third parties that have gained unauthorized access to either the computer of the sender and/or the recipient. Electronic messages include the message content itself coupled to identifying information regarding the sender, the recipient, the location of the message, times and dates associated with the message, etc. This allows a third party that is logging messages, intercepting messages, or simply gaining access to the messaging system's logs or inbox archives to associate the potentially important identifying information (typically referred to as header information) with the message content. These are only some of the ways in which electronic messages can be misused. There is a demand for a system and method for reducing the traceability of electronic messages.

SUMMARY OF THE DISCLOSURE

In one implementation, a computer-implemented method of reducing traceability of an electronic message having header information and a message content is provided. The method includes providing at a first computer a first display including an interface allowing a first user to input an address of a recipient of an electronic message; receiving at the first computer an input of a recipient address from the first user; transmitting the recipient address from the first computer; providing a second display including an interface allowing the first user to input a message content, the first and second displays not being displayed at the same time; receiving at the first computer the message content from the first user; and transmitting the message content from the first computer, wherein the message content is transmitted from the first computer separately from the recipient address.

In another implementation, a computer readable medium containing computer executable instructions implementing a method of reducing traceability of electronic messages is provided. The instructions include a set of instructions for providing at a first computer a first display including an interface allowing a first user to input an address of a recipient of an electronic message; a set of instructions for receiving at the first computer an input of a recipient address from the first user; a set of instructions for transmitting the recipient address from the first computer; a set of instructions for providing a second display including an interface allowing the first user to input a message content, the first and second displays not being displayed at the same time; a set of instructions for receiving at the first computer the message content from the first user; and a set of instructions for transmitting the message content from the first computer, wherein the message content is transmitted from the first computer separately from the recipient address.

In yet another implementation, a system for reducing traceability of electronic messages is provided. The system includes a means for providing at a first computer a first display including an interface allowing a first user to input an address of a recipient of an electronic message; a means for receiving at the first computer an input of a recipient address from the first user; a means for transmitting the recipient address from the first computer; a means for providing a second display including an interface allowing the first user to input a message content, the first and second displays not being displayed at the same time; a means for receiving at the first computer the message content from the first user; and a means for transmitting the message content from the first computer, wherein the message content is transmitted from the first computer separately from the recipient address.

BRIEF DESCRIPTION OF THE DRAWINGS

For the purpose of illustrating the invention, the drawings show aspects of one or more embodiments of the invention. However, it should be understood that the present invention is not limited to the precise arrangements and instrumentalities shown in the drawings, wherein:

FIG. 1 illustrates one example of a schematic diagram of an exemplary system for electronic messaging depicting an initial electronic message being communicating from one user to another;

FIG. 2 illustrates one example of a computer environment that may be utilized to implement various aspects of the present disclosure;

FIG. 3 illustrates another example of a schematic diagram of another exemplary system and method of the present disclosure;

FIG. 4 illustrates another example of a schematic diagram of another exemplary system and method of the present disclosure;

FIG. 5 illustrates one example of a flow chart depicting one exemplary method according to the present disclosure;

FIG. 6 illustrates another example of a flow chart depicting another exemplary method according to the present disclosure;

FIG. 7 depicts an exemplary login display image;

FIG. 8 depicts an exemplary display image including a recipient address input portion;

FIG. 9 depicts an exemplary display image including an electronic message content input portion;

FIG. 10 depicts an exemplary display image including an electronic message listing portion; and

FIG. 11 depicts an exemplary display image including a reply message input portion.

DETAILED DESCRIPTION

The present disclosure provides a system and method reducing traceability of an electronic message. In one embodiment, header information and message content of an electronic message are displayed by a system and method of the present disclosure so that header information and message content are not displayed at the same time. As will be clear to one skilled in the art from the disclosure below, separation of header information from message content reduces the traceability of the electronic message. To further reduce traceability of an electronic message, header information may be automatically deleted at a first predetermined time and message content may be automatically deleted at a second predetermined time (e.g., after message content is viewed). In one example, the first and second predetermined times may occur sequentially (e.g., deleting header information upon displaying message content and deleting message content upon closing a display of message content), simultaneously (e.g., deleting message content and associated header information upon closing a display of message content), or out of order such that the second predetermined time occurs before the first predetermined time (e.g., displaying message content first, deleting message content, displaying header information, then deleting header information). These and other aspects of the present disclosure will be described in greater detail below with respect to various exemplary embodiments illustrated in FIGS. 1 to 11.

FIG. 1 illustrates one embodiment of a system 100 for electronic messaging depicting an electronic message 105 being sent from one user to another. System 100 may include any number of computers, such as the two user computers 110 and 115, coupled to a network 120. Network 120 facilitates communication between computer 110 and computer 115. In one example, system 100 may be a closed system that may utilize open network structures (e.g., the Internet) for communication with users, but that does not utilize open or third-party messaging systems (e.g., industry standard email) that may increase the chance of message logging and impact the recordless nature of an electronic message of the present disclosure. System 100 allows users of computers 110 and 115 to communicate with each other via one or more electronic messages, such as electronic message 105 over network 120. As will be described in further detail hereinafter, several aspects of system 100 reduce traceability of electronic messages, such as electronic message 105. In one example, electronic message 105 is automatically deleted from system 100 after it is viewed by the recipient to ensure that electronic message 105 cannot be forensically recreated and to ensure there is no record of electronic message 105 ever existing on system 100 thereafter.

Although computers 110 and 115 are illustrated as workstation computers, any well known computer may be utilized in creating and/or viewing electronic messages. Example computers include, but are not limited to, a personal computer, a workstation computer, a server computer, a laptop computer, a handheld device, a mobile telephone, a personal digital assistant (PDA), another computing device capable of communicating an electronic message via network 120, and any combinations thereof. System 100 may include one or more server computers. In one example, system 100 may reside substantially on a single server computer. In another example, system 100 may be distributed across two or more server computers. In yet another example, system 100 may be distributed across a plurality of user computers without a server computer, such as in a peer-to-peer environment. In one such example, components of a messaging system according to the present disclosure and/or their functionality (e.g., storage of header information and message content, display generation, reply generation, etc.) may occur at a recipient's user computer In still another example, system 100 may be distributed across one or more server computers and one or more user computers. One or more relay servers or other systems may be utilized between server computers and/or user computers.

FIG. 2 illustrates one example of a computing environment in the exemplary form of a computer 200 within which a set of instructions, for causing the computer to perform any one of the methodologies of the present disclosure, may be executed. Computer 200 may include a processing unit 205, a system memory 210, and a system bus 215 that couples various components including system memory 210 to processing unit 205. System bus 215 may be any of several types of bus structures including, but not limited to, a memory bus, a memory controller, a peripheral bus, a local bus, and any combinations thereof, using any of a variety of bus architectures. System memory 210 may include a read only memory (ROM) 220 and a random access memory (RAM) 225.

A basic input/output system 230 (BIOS), including basic routines that help to transfer information between elements within computer 200, such as during start-up, may be stored in ROM 220. Computer 200 may also include a storage/memory device 235 for reading and/or writing information. Example storage devices include, but are not limited to, a hard disk drive for reading from and/or writing to a hard disk, a magnetic disk drive for reading from and/or writing to a removable magnetic disk, an optical disk drive for reading from and/or writing to an optical media (e.g., a compact disc), and any combinations thereof. Storage/memory device 235 may be connected to bus 215 by an interface. In one example, storage/memory device 235 and associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules, and/or other data for computer 200. It will be appreciated by those skilled in the art that other types of computer-readable media that can store data that is accessible by a computer in a volatile and/or non-volatile manner may also be used in an example operating environment. Examples of other types of computer-readable media include, but are not limited to, a magnetic cassette, a flash memory media (e.g., a card and a thumb-drive), a digital video disk, a Bernoulli cartridge, a random access memory (RAM), a read only memory (ROM), and any combinations thereof. A computer-readable medium, as used herein, is intended to include a single medium as well as a collection of physically separate media, such as, for example, a collection of compact disks or one or more hard disk drives in combination with a computer memory.

A number of program modules can be stored on storage/memory device 235, including, but not limited to, an operating system, one or more application programs, other program modules, program data, computer implemented instructions for carrying out the system and methodologies of the present disclosure, and any combinations thereof. A user may enter commands and information into computer 200 through one or more input devices, such as a keyboard 240 and/or a pointing device 245. Other examples of an input device include, but are not limited to a microphone, a joystick, a game pad, a satellite dish, a scanner, and any combinations thereof. These and other input devices may be connected to processing unit 205 through an interface 250 that is coupled to bus 215. Example interfaces for connecting an input device include, but are not limited to, a serial interface, a parallel interface, a game port, a universal serial bus (USB), an IEEE 1394 (Firewire) interface, a direct interface to system bus 215, and any combinations thereof.

A display device 255 may be connected to system bus 215 via an interface, such as a display generator/video adaptor 260. Example display devices include, but are not limited to, a cathode-ray tube (CRT) monitor, a plasma display, an LCD display, and any combinations thereof. In addition to a display device, a computer may include one or more other peripheral output devices, such as a speaker and a printer. A pen digitizer and an accompanying pen/stylus may be included in order to digitally capture freehand input. A pen digitizer may be separately configured or coextensive with a display area 265 of display device 255. Accordingly, a pen digitizer may be integrated with display device 255, or may exist as a separate device overlaying or otherwise appended to display device 255.

Computer 200 may include a network connection 270 for connecting to one or more of a variety of networks, such as network 120 of FIG. 1, and remote computer devices thereon. Example network connections may include, but are not limited to, a network interface card, a modem, and any combinations thereof. Example networks include, but are not limited to, a wide area network (e.g., the Internet, an enterprise network), a local area network (e.g., a network associated with an office, a building, a campus or other relatively small geographic space), a telephone network, a direct connection between two computing devices, and any combinations thereof. A network, such as network 120 may employ a wired and/or a wireless mode of communication. In general, any network topology may be used. It will be appreciated that FIG. 1 depicts only one instance of a system 100, and that other instances may be created where one or more computers utilize system 100. One or more communication protocols may be utilized with system 100 and/or with network 120. Example protocols include, but are not limited to, TCP/IP, Ethernet, FTP, HTTP, HTTPS, and any combinations thereof. In one example, a user of a computer, such as computers 110, 115 may access system 100 (e.g., on one or more server computers) utilizing a secure protocol as is well-known. A user computer, such as computers 110, 115 may utilize one or more software applications and/or one or more system based applications in communicating with system 100. Example software applications include, but are not limited to, a web browser (e.g., INTERNET EXPLORER, MOZILLA, and NETSCAPE), Java (e.g., J2ME), BREW, a direct access client (e.g., CITRIX), and any combinations thereof. Example system applications include, but are not limited to, MICROSOFT WINDOWS, UNIX, LINUX, APPLE operating system, X-WINDOWS, COCOA, POCKETPC, and PALM.

Referring to FIG. 1 an exemplary electronic message 105 is communicated by a sending user utilizing computer 110 to system 100 for further communication to a recipient user. Exemplary system 100 includes an electronic message receiver 125 for receiving one or more electronic messages, such as electronic message 105. Electronic message receiver 125 is in communication with an electronic message storage module 130. An electronic message storage module, such as electronic message storage module 130, stores electronic messages received by electronic message receiver 125 utilizing one or more particular data storage methodologies. Many data storage methodologies will be recognized by those skilled in the art and those chosen for use with an electronic message storage module according to the present disclosure may be based on the particular implementation of the messaging system and method. Example data storage methodologies may include, but are not limited to, one or more tables, a database, a file system, and any combinations thereof. In one example, as will be described in greater detail below, electronic message storage module 130 stores header (“container”) information and message content separate from each other to minimize correlation by a third party between identifying information regarding the electronic message (e.g., identification of sender, recipient, date/time of message, location of message) in the header information and the content of the message. In an alternate example, message content and header information may be stored together and separated during display. In one embodiment of the present disclosure, header information and message content are never stored or displayed together. In such a case, a correlation (e.g., a non-identifying message ID described in detail below) may be utilized to associate the two components.

Electronic message 105 as communicated to system 100 in the example of FIG. 1 includes a recipient address 135 and a message content 140. A recipient address, such as recipient address 135 may be an indicator that identifies a particular desired recipient of an electronic message, such as electronic message 105. In one example, a recipient address may be a unique identifier (e.g., a screen name, a login name, a messaging name, etc.) established specifically for use with system 100 at user registration with the system. In another example, a recipient address may be a pre-established electronic mail (email) address, text messaging address, instant messaging address, Short Messaging Service (SMS) address, a telephone number (e.g., a home, work, mobile telephone number), BLACKBERRY personal identification number (PIN), or the like, that is associated with the recipient and provided by a third-party provider. Example third-party providers include, but are not limited to, a web-based commercial fee and fee-free provider (e.g., YAHOO, HOTMAIL, AMERICA ONLINE, etc.), an Internet service provider (e.g., AMERICA ONLINE, MSN, cable operator, telephone company, etc.), a telephone provider (e.g., VERIZON, CINGULAR, etc.), BLACKBERRY provider, an employer, an educational institution, and other email providers. The third-party address may be chosen by a user as their unique identifier at registration. In an alternative embodiment, a sending user may know a third-party address of an intended recipient and use it as a recipient address when generating electronic message 105. In such an embodiment, it is possible that the intended recipient is not a registered user of system 100. In one example, system 100 may optionally include an external system communication generator 145 configured to send a notification message to the third-party system associated with the recipient address used with electronic message 105. External system communication generator 145 is in communication with the appropriate network for communication with the corresponding third-party address for delivering the notification message. In one example shown in FIG. 1, external system communication generator 145 is shown connected to the Internet. In one example, a notification message may include an indication that someone has sent the desired recipient an electronic message on system 100 and that the intended recipient may register to use system 100. The notification message may include directions (e.g., a hyperlink) to a publicly available portion of system 100 for registration.

An electronic message may be any electronic file, data, and/or other information transmitted between one or more user computers. An electronic message may include (e.g., as part of a message content) any of a wide variety of information including, but not limited to, text, an image, video (e.g., single play video utilizing an application, such as MACROMEDIA FLASH), binary, tabular data (e.g., a spreadsheet), rich text including variable font color, tables, etc.), audio (e.g., single play audio utilizing an application, such as MACROMEDIA FLASH), other types of data, and any combinations thereof. In one example, a message content of an electronic message may include embedded information. In another example, a message content of an electronic message may include an attached and/or linked file. In such an example with an attached and/or linked file, the attached and/or linked file may be automatically deleted from the messaging system after being viewed by a recipient. Typically, a message content, such as message content 140 does not include information that in itself identifies the message sender, recipient, location of the electronic message, or time/date associated with the electronic message.

System 100 may optionally include a message ID generator 150. As described in further detail below, message ID generator 150 may generate a message ID for each electronic message received by system 100. The message ID is associated with the corresponding message. A message ID is used to associate a container (i.e., header) information with a corresponding separately-stored message content. In one example, a message ID may be created using a unique 128 bit, randomly generated number. System 100 may include a correlation between header information and message content in a variety of ways including, but not limited to, a database, a lookup table, an entry in a file system, and any combinations thereof. Utilizing a message ID associated with an electronic message, such as electronic message 105, system 100 may handle (e.g., store, deliver, display, etc.) a header information and a message content of a particular electronic message separately with the ability to correlate the two at a later time. Thus, a message content may be handled without any of the identifying header information. A message ID may contain unique and/or non-unique information. For example, a message ID may include a sequence number (e.g., 1, 2, 3, 4, etc.) identifying a number of a message amongst a group of messages. A sequence number may be re-used. For example, when an electronic message with a sequence number of “1” is viewed and subsequently deleted, sequence numbers for remaining electronic messages may be adjusted so that the electronic message having sequence number “2” is renumbered to number “1” and so forth. In another example, a message ID may include a sequence number and a unique user identifier (e.g., a user ID, a login ID, etc.).

System 100 may optionally include a reply ID generator 155. As described further below, reply ID generator 155 generates a reply ID for each electronic message received by system 100. The reply ID associates an electronic message, such as electronic message 105, with the sender of the electronic message. In one example, a reply ID may include no information that in itself would identify a sender of an electronic message to a third party that does not have access to the correlation maintained by the messaging system. System 100 may include a correlation between a reply ID and a corresponding message sender in a variety of ways, including, but not limited to, a database, a lookup table, an entry in a file system, and any combinations thereof. In one aspect, a reply ID associated with an electronic message allows the header information and/or the message content of the electronic message to include no information about the sender of the message that itself provides a traceable identity of the sender. As described in more detail below, a recipient may still send a reply electronic message to the original sender. Additionally, a third-party that may intercept, log, or otherwise come in possession of the header information and/or the message content will not be able to trace the electronic message to the sender without also gaining access to the correlation maintained by system 100. A reply ID may include a variety of different identifiers that allow a messaging system, such as system 100, to direct a reply electronic message back to a sender of the original electronic message. In one example, a reply ID may be created using a randomly generated number (e.g., a 128 bit, randomly generated number).

System 100 includes a display generator 160 in communication with electronic message storage module 130. Display generator 160 is configured to provide information representing a display image for display on a user computer, such as user computers 110, 115. Example display images include, but are not limited to, a user login display, a display listing information representing available electronic messages for viewing, a display for entering an electronic message, a display of a message content of an electronic message, a display for entering a reply electronic message, and any combinations thereof. In one example, display generator 160 may be configured to utilize a message ID in generating a first information 165 representing a first display image including at least some of the header information for electronic message 105. Display generator 160 may also be configured to generate a second information 170 representing a second display image including message content 140 of electronic message 105. FIG. 1 illustrates first and second information 165, 170 communicated with computer 115 for display to a recipient user. In this example, display generator 160 generates first and second information 165, 170 in a manner that does not allow the first and second display images to be displayed at the same time. Separate display of header information and message content for an electronic message reduces traceability of the electronic message. In one aspect, screenshot logging at a computer, such as computer 115, may not capture both header information and message content simultaneously. Additionally, separation of header information and message content physically and/or temporally during communication to a user computer over an open network, such as the Internet, can thwart misuse of the electronic message by reducing the ability of intercepting both components of the electronic message.

Display generator 160 may utilize any of a variety of well known display generation methodologies and/or protocols for creating information representing a displayable image. Example methodologies/protocols include, but are not limited to, hypertext markup language (HTML), extensible markup language (XML), direct graphic generation, and any combinations thereof. In one example, system 100 resides on one or more server computers and display generator 160 includes and/or utilizes a web server application to generate information representing web-browser-displayable images that may be viewed by a user computer including a web browser. In another example, display generator 160 may be configured to instruct a browser or other application of a user computer displaying a display image according to the present invention to not cache any of the information related to the display image.

System 100 may further include a deletion module 175 in communication with electronic message storage module 130. Deletion module 175 is configured to delete header information and/or message content from system 100 after a predetermined amount of time. In one example, deletion module 175 is configured to automatically delete header information and corresponding message content immediately after the message content is displayed. In another example, a deletion module (e.g., deletion module 175) is configured to automatically delete header information upon display of a corresponding message content. In yet another example, a deletion module (e.g., deletion module 175) is configured to automatically delete message content upon a display of the message content being closed. In still another example, a deletion module is configured to automatically delete header information and/or message content, whether or not they have been viewed, after a predetermined time (e.g., twenty-four hours after being received). In still yet another example, a deletion module is configured to automatically delete header information and/or message content a predetermined time (e.g., twenty-four hours) after first being displayed. In a further example, a predetermined amount of time may include a predetermined number of viewings (other than a single viewing) of a particular electronic message (e.g., an electronic message is deleted after 20 views). In still a further example, a deletion module (e.g., deletion module 175) is configured to automatically delete header information upon display of a corresponding message content and to automatically delete message content upon a display of the message content being closed. Combinations of deletion protocols, such as these examples, are also contemplated.

In an alternate embodiment, system 100 may include a display-based keyboard generator 180. Display-based keyboard generator 180 is configured to generate a display-based keyboard that may be included with a display image generated by display generator 160. A display-based keyboard can be utilized by a user (e.g., through mouse click or touch screen depression) to input information (e.g., username, password, recipient address, message content) without the use of the standard keyboard associated with the user computer. In this way interception by keyboard (keystroke) logging hardware and/or software resident on the user computer, such as computers 110, 115, can be avoided. In one example, a display-based keyboard generator may utilize FLASH technology commercially available from Macromedia Inc. In another example, a display-based keyboard generator may utilize Java technology commercially available from Sun Microsystems. In one aspect a FLASH-based keyboard may randomly place spaces between characters in the on-screen keyboard to further prevent interception of the message. Although this is a relatively slow data entry method, a user can be more assured that their information is not being logged and/or intercepted.

System 100 may also optionally include a reply message receiver 185. Reply message receiver 185 is configured to receive a reply message to one or more original electronic messages viewed by a recipient. In one aspect, a sender of an original electronic message may be determined from an identifying characteristic included, or associated, with the electronic message. Example identifying characteristics include, but are not limited to, a reply ID, an email address, a username, a display name, login ID, and any combination thereof. In one example, a reply ID of the original electronic message may be utilized in generating a reply message. In one example, a reply message as communicated by computer 115 to system 100 need only include a message content 190. System 100 may include a reply generator 195. Reply generator 195 may be configured to utilize the original reply ID to associate message content 190 and any corresponding header information with the original electronic message sending user. Message ID generator 150 may be configured to generate a message ID for the reply electronic message (i.e., message content 190 and corresponding header information). Reply ID generator 155 may be configured to generate a new reply ID for the reply message and electronic message storage module 130 may store message content 190 and corresponding header information separately for later display to the user (original sender).

FIG. 1 illustrates only an exemplary embodiment of a messaging system and networking environment according to the present disclosure. As will be appreciated by those skilled in the art and as described herein, variations to system 100 and the network environment may be utilized in implementing the various aspects and methodologies of the present disclosure. FIGS. 3 and 4 illustrate alternate computing environments. FIG. 3 illustrates one embodiment of a messaging system 300 according to the present disclosure. System 300 includes a computing environment having a single server computer 310. User computers 315 and 320 communicate with server computer 310 via network 325. An electronic message 330 is communicated utilizing system 300. A reply electronic message 340 is also illustrated. FIG. 4 illustrates another embodiment of a messaging system 400 according to the present disclosure. System 400 includes a computing environment having two server computers 405, 410. User computers 415 and 420 communicate with server computers 405, 410 via network 425. An electronic message 430 is communicated utilizing system 400. A reply electronic message 440 is also illustrated. Server computers 405, 410 together perform the functionality of the single server computer 310 of FIG. 3.

Referring to FIGS. 3 and 5, an exemplary operation of a messaging system according to the present disclosure, such as system 300, can be described. A user may log into system 300 at computer 315 (step 505 of FIG. 5). For example, a user may access a web site or other networked interface associated with server 310. Server 310 may then provide information representing a display image (e.g., a web page) for display on computer 315 that allows the user to log into the system. In one aspect, a user of system 300 may have associated therewith a login ID and password for logging into system 300. FIG. 7 depicts an example login display 700 that may be used. In one aspect, system 300 may provide an instruction to a browser or other application on computer 315, or other computer viewing a display image according to the present disclosure, to not cache the information contained in the display image. Upon entry of a valid login ID and password, server 310 establishes a communications link with computer 315 (e.g., a key infrastructure, secure sockets layer (SSL), secure HTTP (HTTPS) or other secure or non-secure communications link). In one example, system 300 may utilize an email address as a login ID.

In one aspect, while a user is logged into system 300, a session may be established including the establishment of a session ID. A session and a corresponding memory may be utilized by system 300 to maintain certain information regarding the session and the user (e.g., user's identification information, a reply ID).

Upon proper login, the user may be presented with a session starting display image. One of skill in the art will appreciate that a variety of starting display images (i.e., pages) may be available for display to a user upon initial login to system 300. In one example, a display image for inputting an electronic message may be displayed. FIG. 8 illustrates one example of a starting display image 800. Display image 800 includes a first portion 805 for entering a recipient address or other identifier for one or more recipients of a message. Display image 800 also illustrates an “inbox” portion 810 for listing unread electronic messages on the system for the logged in user. In this example, an optional display name 815, “Mary Smith” for the logged in user is displayed. A display name may be the same or different from a corresponding login name and/or user address, and may or may not include identifying information regarding the user.

Upon entering a recipient address (step 510 of FIG. 5) and activating a button 820 or other trigger, a message content display screen, such as message content display screen 900 of FIG. 9 may be displayed. Display screen 900 includes a first portion 910 for inputting (step 515 of FIG. 5) a message content corresponding to the recipient address input at portion 805 of FIG. 8. In this example, the recipient address and the message content are entered on separate display screens. In another example, the recipient address and message content may be input on a single display image screen. Separation of the entry of the recipient address and message content further reduces the traceability of an electronic message by, in part, reducing the ability of logging at computer 315.

In an alternative embodiment, a display-based keyboard (as discussed above) may be included in an electronic message input displays, such as display images 700, 800, and 900. A user may use a mouse or other pointing device (e.g., a touchscreen display) to select characters being entered.

FIG. 9 illustrates an example message content 930 having been entered in portion 910. Upon completion of message content entry, a user may select button 840, or other indicator, to communicate message content 930 to server 310 (step 520 of FIG. 5). In one example, the recipient address may be communicated to server 310 separately from a corresponding message content at the time of entry. This may reduce the ability to intercept the entire electronic message during communication to server 310. In another example, the recipient address may be retained at computer 315 until the entry of corresponding message content in a subsequent display image. In one example, upon communication of the recipient address and message content 930, computer 315 retains no trace of the either the recipient address or message content 930. For example, each may exist only in random access memory (RAM), and possibly in virtual memory (e.g., a page file) established in a disk drive, at computer 315 from the time the user types the information until the loading of the next display image at computer 315, after which the information is effectively deleted. Referring to FIG. 3, electronic message 330 is illustrated as including a recipient address and message content that is communicated from computer 315 to server 310.

In an alternate embodiment, upon server 310 receiving electronic message 330, instructions associated with system 300 (e.g., instruction stored at server 310) generates a reply ID and associates the reply ID with electronic message 330 (step 525 of FIG. 5). Server 310 maintains a correspondence between the reply ID and the sending user. In one example, a new reply ID is created for each electronic message regardless of whether the sending user is the same as another electronic message. This enhances the reduced traceability of the electronic message.

In another alternate embodiment, at step 530, system 300 generates a message ID for associating the separated message content and header information of electronic message 330. Server 310 maintains a correspondence between the message content and header information.

At step 535, header information associated with electronic message 330 is identified for separation from message content 930. In one aspect, separation of information that identifies the sending user, recipient user, location of the electronic message, timing of electronic message from the message content may be implemented by associating such information with a container or header information component of the electronic message. In one example, utilization of a reply ID and a message ID can further facilitate the removal of information that itself identifies a sending user or recipient. A display name for the sending user may be generated and associated with the header information. The display name for the user need not be unique, thus maintaining the anonymity of the user when electronic message 330 is ultimately communicated to computer 320 or otherwise viewed by the recipient. In one example, system 300 replaces all information associated with electronic message 330 that could itself identify the sending user. In one embodiment, a predetermined display name for the sending user that does not provide unique identification of the sending user may be generated and associated with corresponding header information. In another example, system 300 may utilize a display name that includes information that uniquely identifies the sending user (e.g., login name, email address, etc.).

In one example, header information for a particular electronic message, such as header information, may include, but is not limited to, a reply ID, a message ID, a date/time associated with the electronic message (e.g., date/time of creation, date/time of delivery, etc.), a display name representing a sender of the electronic message, and any combinations thereof.

At step 540, an electronic message 330 is associated with a recipient represented by the recipient address. In one example, a location of the recipient is determined. As used herein, a location may include a message mailbox, a message server associated with the recipient, a computer associated with the recipient, an electronic address of the recipient, a display name for the recipient in system 300, or the like. For example, system 300 may identify a user by a variety of identities (e.g., display name, login ID, associated email address, text messaging address, instant messaging address, SMS address, mobile number, BLACKBERRY PIN, or the like) to determine a routing for electronic message 330. As discussed above, if the recipient is not a registered user of system 300, a notification may be sent to a third-party system of the existence of electronic message 330. For example, if the recipient is identified by a third-party email address, a notification may go to the email recipient over the third-party email network. Similarly, if the recipient is identified by a Blackberry PIN, a notification may go to the recipient over the Blackberry network.

At step 545, header information and message content are stored. In one example, header information and message content are stored separately from each other (e.g., in separate files, in separate databases, in separate tables, etc.). A message ID may be used to maintain a correspondence between the separated components of electronic message 330. Storage may occur in a variety of ways including, but not limited to, storage at a location of the recipient and storage at server 310. In one example, the header information and message content of electronic message 330 are stored in a storage medium of server 310 in separate tables.

In another example, each user of system 310 is assigned a storage directory (e.g., on a server, on a user computer such as in a peer-to-peer arrangement, etc.). Upon association of a user with the recipient address, the message content and header information for any electronic messages to that user may be stored in that user's storage directory. The following XML file definition illustrates an example of header information for two electronic messages stored in a user storage directory.

<?xml version=“1.0” encoding=“UTF-8” ?> <streams> <streamsummary id=“8C515D3B6A3A99C6C1A1F1DE019C7AB0”    from=“user one” datereceived=“1143660969”    replyid=“6C04279318E53F61A9D7984ADD4C3E1A /> <streamsummary id=“98F78AD49BFC35B36357850C107460DF”    from=“user four [mike.smith@onlinemail.com]”    datereceived=“1143665437”    replyid=“0648B99BE6F9E5AB21F3A163AD242173” /> </streams>

The above file definition includes a message ID (“streamsummary id”), a display name (“from”), date received, and reply ID for each message in the recipients storage directory. Note that as an implementation variation, the sending user of the second message has associated therewith a display name, “user four”, which includes a reference to an email address, mike.smith@onlinemail.com. This email address may or may not be associated with an actual email account of a third-party system, and may or may not provide actual identifying information related to the sending user. The following message content XML file is stored separately in the storage directory from the above header information.

<?xml version=“1.0” encoding=“UTF-8” ?> <message id=“8C515D3B6A3A99C6C1A1F1DE019C7AB0” ” subject=“”> <text>This is my first message to you.</text> </message>

The following second message content XML file is stored separately in the storage directory from the header information.

<?xml version=“1.0” encoding=“UTF-8” ?> <message id=“98F78AD49BFC35B36357850C107460DF” subject=“”> <text>This is a reply message to your message from Monday.</text> </message>

Each of the message content XML files includes the corresponding message ID for correlation back to the corresponding header information. Each message content XML file also includes the message content. One skilled in the art would recognize other storage methodologies for separating header information from message content that are consistent with the present disclosure.

Referring again generally to FIG. 5 at step 550 to describe the retrieval of an electronic message by a user, a recipient user logs into system 300 using computer 320. A display image similar to that in FIG. 7 may be utilized as a login display. In one example, upon entry of a valid login ID and password, a communication link between computer 320 and server 310 is established. At step 555 of FIG. 5, a display image having header information is communicated (e.g., from server 310 to computer 320. System 300 provides a display image to computer 320 representing at least some of the header information associated with any electronic messages associated with the recipient user. FIG. 10 illustrates an example display image 1000 including a recipient address input portion 1005 and a message listing portion 1010. Message listing portion 1010 includes a list of header information 1015, 1020, 1025 of three electronic messages. Message listing portion 1010 includes a display name and a date/time received for each of header information 1015, 1020, 1025. Each message container (or header information) 1015, 1020, 1025 may also includes an association to a message ID and an association to a reply ID (although, not displayed in display image 1000). Message content for each electronic message is not displayed via display image 1000.

FIG. 3 illustrates header information and a message content for electronic message 330 being communicated to computer 320. In this example, header information 1015 represents electronic message 330.

In an alternate embodiment, the header information communicated to computer 320 may include a sequence number (ex: 1, 2, 3, etc.) assigned to each electronic message associated with a particular user and/or sent to a particular computer. In such an embodiment, each sequence number may be associated in system 300 with the corresponding message ID. The message ID may be removed from the corresponding header information and/or message content. In this manner, system 300 may avoid sending a message ID to a user computer and instead may send the sequence number, which may be reused when a message is deleted and is, therefore, less traceable from the user computer.

At step 560, a user may select one of the electronic messages indicated by header information 1015, 1020, 1025 (e.g., by selecting a corresponding “read” indicator in message listing 1010). At the time of selection, the message content for each electronic message may not have been communicated to computer 320. In one example, message content may be communicated to computer 320 along with corresponding header information (but, not displayed). In another example, message content may be retained at server 310 until a second request from a user is sent to server 310 to view a message content of a particular electronic message. In such an example, computer 320 requests a message content for a selected electronic message (e.g., electronic message 330 via header information 1015) from server 310. In response to this action, server 310 may associate a message ID from the selected header information and communicate the message content having the corresponding message ID to computer 320. Alternatively, where a sequence number is utilized for each electronic message, server 310 associates the sequence number of the selected electronic message with a corresponding message content and communicates the message content to computer 320.

At step 565, a display image including the message content, but none of the header information, is provided at computer 320. FIG. 11 illustrates one example display image 1100 presenting message content, independent of header information, for electronic message 330 upon the selection of header information 1015 in display image 1000 of FIG. 10. Display image 1100 includes a message content portion 1110 including the message content of electronic message 330. Display image 1100 also includes a reply message input portion 1120.

In one alternate embodiment, display image 1100 may employ FLASH technology to display the message content. For example, display image 1100 may require the user to “park” the on-screen cursor in an area in display image 1100 to see the message content, which may be displayed as a Flash movie. Should the cursor be moved, the displayed message content will be hidden from view on the screen to allow the user to quickly prevent the message content from being seen by onlookers. Also, this technology may also be utilized to prevent the message content from being printed using the web browser or application print because the message content will be hidden as soon as the user moves the mouse in attempt to print. In another example, the use of Cascading Style Sheets (CSS) may allow the portion of the display image including the message content to be not shown or hidden during printing.

Referring to FIG. 5, at step 570, the electronic message, such as electronic message 330, is automatically permanently deleted from server 310 at a predetermined time at step 565. In one example, header information is deleted from server 310 upon its communication to computer 320, and then the corresponding message content is deleted from server 310 upon its communication to computer 320. In such an example, once message list 1010 is displayed to a user, the user must view the message content during that session. To achieve the ability to view one message content and return to message list 1010, the header information for non-viewed electronic messages may be retained in memory at computer 320. In another example, header information is retained at server 310 until the corresponding message content is viewed, at which point both the header information and the message content is deleted from server 310. A reply ID for a particular electronic message may be retained in memory of server 310 (e.g., in response to a request for viewing a message content, server 310 may associate a current session ID with the reply ID) until the display image that displays the corresponding message content is closed by the user. This will allow a user to utilize reply message portion 1120 of display image 1100 to reply to the current message content without having to have a unique address for the original sender associated with the message content on computer 320. FIG. 3 illustrates a server-based system. Deletion from an alternate system, such as a peer-to-peer system, may include deletion of an electronic message from storage at a user computer.

As discussed above, other examples of deletion times for deletion from a system, such as system 300, include, but are not limited to, automatic deletion of header information and corresponding message content immediately after the message content is displayed, automatic deletion of header information upon display of a corresponding message content, automatic deletion of message content upon a display of the message content being closed, automatic deletion of header information and/or message content (whether or not they have been viewed) after a predetermined time (e.g., twenty-four hours after being received), automatic deletion of header information and/or message content a predetermined time (e.g., twenty-four hours) after first being displayed, and any combinations thereof. In one example, system 300 is configured to require a given deletion scheme (e.g., automatic permanent deletion of an electronic message upon displaying the electronic message and/or one or more of its components) regardless of a desire of a sending and/or recipient user.

One example of a deletion algorithm appropriate for deletion of electronic messages from system 300 include, but is not limited to, US Department of Defense (DoD) clearing and sanitizing standard DoD 5220.22-M. In an alternative embodiment, server computer 310 may delete an electronic message, such as electronic message 330 and the corresponding reply ID from its own memory if the recipient fails to retrieve the electronic message within a predetermined amount of time.

In one example, after viewing the message content, the user may select a button 1130 on display image 1100 to return to the message listing (e.g., message listing 1010 of FIG. 10), or otherwise close the display image (step 575 of FIG. 5). In another example, after viewing the message content, the user may choose to respond to electronic message (step 580 of FIG. 5), as will be described in further detail hereinafter. If the user fails to respond to the message content within a predetermined amount of time (e.g., 1 hour) an associated reply ID may be deleted from server 310. If the user chooses to return to the listing of messages, the message content may be automatically deleted from the recipient's computer 320 after viewing (step 585 of FIG. 5). For example, the message content will exist only in RAM, and possibly in virtual memory established in the disk drive, in computer 320 from the time the user views the message content until the loading of the next screen into computer 320, after which the message is effectively deleted. Furthermore, in one example, the listing of messages (e.g., message listing 1010 of FIG. 10), will no longer include the header information for a particular electronic message (e.g., header information 1015 of electronic message 330) that has been deleted from server 310, and the session ID will no longer include reference to the reply ID. In other words, the user will not be able to view that message again or reply to the message once it has been deleted. For example, FIG. 12 illustrates message list 1010 after electronic message 330 has been deleted from server 310 and computer 320.

In an alternative embodiment, electronic messages may be sent, stored, and/or retrieved using encryption technology. Various encryption technologies are known to those skilled in the art. For example, a combination of public and private encryption keys may be utilized by users and the system to further ensure security and reduce traceability of electronic messages until deletion.

Referring to FIGS. 3 and 6, operation of system 310 in optionally sending a reply message 340 from user computer 320 to user computer 315 can be described. As shown for example in FIG. 11, the recipient user of the original electronic message (e.g., electronic message 330) may choose to reply to the message utilizing reply message input portion 1120. Reply message input portion 1120 allows a user to input a message content for a reply message. In this example, there is no need to input a recipient address as an original reply ID may be utilized by system 300 in determining the routing of the reply electronic message. After the user completes reply message input portion 1120, he or she may select the “send stream” button 1140. In response, computer 320 communicates the reply message content to server computer 310 (step 605 of FIG. 6). After the reply message content is communicated, computer 320 retains no trace of the message's existence. For example, the message will exist only in RAM, and possibly in virtual memory established in the disk drive, in computer 320 from the time the user types the message until the loading of the next screen into computer 320, after which the message is effectively deleted. In an alternative embodiment, a display-based keyboard, as discussed above, may be utilized as part of display image 1100 for inputting reply message content.

In one example, upon receipt of the reply message content, server 310 determines the reply ID for the original message (e.g., from the current session ID), and uses the reply ID to associate the electronic message with the user that sent the original message 330 (step 610 of FIG. 6). This may be accomplished in a variety of ways including, but not limited to, a lookup table, a database, or the like, which provides a correlation between the reply ID and the sender of the initial message. At step 615, system 300 then deletes the initial reply ID (e.g., the reply ID for message 330) from server 310's memory. In an alternate embodiment, the identity of the sender of an original electronic message may be determined from another identifier associated with the electronic message (e.g., display name, login ID, associated email address, text messaging address, instant messaging address, SMS address, mobile number, BLACKBERRY PIN, or the like).

Next at step 620, the server 310 may generate another reply ID and associate the reply ID with reply message 340 in a similar fashion as discussed above for electronic message 330. Server 310 may also generate another message ID, which establishes a correlation between the message content of reply message 340 and header information for reply message 340. Header information and message content for reply message 340 are handled and stored similarly as described above with respect to electronic message 330. Reply message 340 may be viewed by its recipient in the same manner as original electronic message 330 was viewed.

Advantageously, the system 300 allows the users of the computers 315 and 320 to have a private conversation over network 325. After messages, such as electronic message 330 and reply message 340, are communicated the sender leaves no proof of the message on his or her computer. In one example, after the recipient views the message (or at another predetermined time), the message no longer exists on system 300, thus ensuring that the message cannot be forensically recreated and ensuring that there is no record of the message remaining on system 300. In another example, no copies of an electronic message are ever delivered to a user computer. In such an example, only non-caching display images of header information and message content are displayed separately. The header information and message content may be immediately, automatically, and permanently deleted from the system upon display. Once each display image is closed, the information is gone forever. Thus, in this example, there is never a copy on the user computer to be archived, forwarded, copied, pasted, etc. In another aspect, separate display of header information and message content prevents a single screen capture at a user computer from creating a complete record of the electronic message. In yet another aspect, a system and method according to the present disclosure may provide an end-to-end recordless electronic messaging system that upon the deletion of the electronic message leaves no trace of the message content, header information, or the fact that it was created, existed, delivered, viewed, etc.

FIG. 4 is a schematic diagram depicting a system 400 having an alternative network topology. The embodiment of FIG. 4 is substantially similar to that of FIG. 3, except that system 400 of FIG. 4 employs two message servers 405 and 410 operably coupled to user computers 415 and 420 by one or more networks 425. In the embodiment of FIG. 4, the two message servers 415 and 420 together perform the tasks previously described for the single message server 310 of FIG. 3. For example, in the method for sending the initial message 330, message server 405 may perform steps 505 to 535 and a portion of step 540 of FIG. 5, while message server 410 acts as the “recipient location” and performs a portion of step 540 and steps 545 to 585 of FIG. 5. It will be appreciated that both servers 405 and 410 may keep track of the reply ID and both servers 405 and 410 delete the message after it has been passed along. This arrangement is particularly useful where message servers 405 and 410 are each associated with a different enterprise, business organization, LAN, or the like.

It is to be noted that the above described aspects and embodiments may be conveniently implemented using a conventional general purpose computer programmed according to the teachings of the present specification, as will be apparent to those skilled in the computer art. Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art.

Such software can be a computer program product which employs a storage medium including stored computer code which is used to program a computer to perform the disclosed function and process of the present invention. The storage medium may include, but is not limited to, any type of conventional floppy disks, optical disks, CD-ROMs, magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards, or any other suitable media for storing electronic instructions.

Exemplary embodiments have been disclosed above and illustrated in the accompanying drawings. It will be understood by those skilled in the art that various changes, omissions and additions may be made to that which is specifically disclosed herein without departing from the spirit and scope of the present invention. 

1. A computer-implemented method of reducing traceability of an electronic message having header information and a message content, the method comprising: providing at a first computer a first display including an interface allowing a first user to input an address of a recipient of an electronic message; receiving at the first computer an input of a recipient address from the first user; transmitting the recipient address from the first computer; providing a second display including an interface allowing the first user to input a message content, the first and second displays not being displayed at the same time; receiving at the first computer the message content from the first user; and transmitting the message content from the first computer, wherein the message content is transmitted from the first computer separately from the recipient address.
 2. A method according to claim 1, further comprising: receiving the recipient address and message content at a second computer; and storing the recipient address and message content until display to a second user.
 3. A method according to claim 2, wherein the recipient address is stored separately from the message content.
 4. A method according to claim 2, wherein said storing of the recipient address and the message content includes storing the header information and the message content using one or more server computers.
 5. A method according to claim 1, wherein the method is performed so that following said transmitting of the message content and said transmitting of the recipient address, no indication of the electronic message is left on the first computer.
 6. A method according to claim 1, further comprising: providing a third display including at least a portion of header information associated with the electronic message to a second user via a second computer; in response to a first request from a second user, providing a fourth display including the message content via the second computer, such that when the message content is being displayed that no header information is displayed at the same time.
 7. A method according to claim 6, further comprising: automatically deleting the header information at a first time that occurs in a period starting at the time of the first request and ending with the time of termination of the fourth display; and automatically deleting the message content at a second time that occurs after the first time.
 8. A computer readable medium containing computer executable instructions implementing a method of reducing traceability of electronic messages, the instructions comprising: a set of instructions for providing at a first computer a first display including an interface allowing a first user to input an address of a recipient of an electronic message; a set of instructions for receiving at the first computer an input of a recipient address from the first user; a set of instructions for transmitting the recipient address from the first computer; a set of instructions for providing a second display including an interface allowing the first user to input a message content, the first and second displays not being displayed at the same time; a set of instructions for receiving at the first computer the message content from the first user; and a set of instructions for transmitting the message content from the first computer, wherein the message content is transmitted from the first computer separately from the recipient address.
 9. A computer readable medium according to claim 8, further comprising: a set of instructions for receiving the recipient address and message content at a second computer; and a set of instruction for storing the recipient address and message content until display to a second user.
 10. A computer readable medium according to claim 9, wherein the recipient address is stored separately from the message content.
 11. A computer readable medium according to claim 9, wherein said storing of the recipient address and the message content includes storing the header information and the message content using one or more server computers.
 12. A computer readable medium according to claim 8, wherein no indication of the electronic message is left on the first computer after the transmission of the recipient address and message content from the first computer.
 13. A computer readable medium according to claim 8, further comprising: a set of instructions for providing a third display including at least a portion of header information associated with the electronic message to a second user via a second computer; a set of instructions for in response to a first request from a second user, providing, in response to a first request from a second user, a fourth display including the message content via the second computer, such that when the message content is being displayed that no header information is displayed at the same time.
 14. A computer readable medium according to claim 13, further comprising: a set of instructions for automatically deleting the header information at a first time that occurs in a period starting at the time of the first request and ending with the time of termination of the fourth display; and a set of instructions for automatically deleting the message content at a second time that occurs after the first time.
 15. A system for reducing traceability of electronic messages, the system comprising: a means for providing at a first computer a first display including an interface allowing a first user to input an address of a recipient of an electronic message; a means for receiving at the first computer an input of a recipient address from the first user; a means for transmitting the recipient address from the first computer; a means for providing a second display including an interface allowing the first user to input a message content, the first and second displays not being displayed at the same time; a means for receiving at the first computer the message content from the first user; and a means for transmitting the message content from the first computer, wherein the message content is transmitted from the first computer separately from the recipient address.
 16. A system according to claim 15, further comprising: a means for receiving the recipient address and message content at a second computer; and a means for storing the recipient address and message content until display to a second user.
 17. A system according to claim 16, wherein the recipient address is stored separately from the message content.
 18. A system according to claim 16, wherein said storing of the recipient address and the message content includes storing the header information and the message content using one or more server computers.
 19. A system according to claim 15, wherein no indication of the electronic message is left on the first computer after the transmission of the recipient address and message content from the first computer.
 20. A system according to claim 15, further comprising: a means for providing a third display including at least a portion of header information associated with the electronic message to a second user via a second computer; a means for in response to a first request from a second user, providing, in response to a first request from a second user, a fourth display including the message content via the second computer, such that when the message content is being displayed that no header information is displayed at the same time.
 21. A system according to claim 20, further comprising: a means for automatically deleting the header information at a first time that occurs in a period starting at the time of the first request and ending with the time of termination of the fourth display; and a means for automatically deleting the message content at a second time that occurs after the first time. 